Kerberos FAQ, v2.0 (last modified 8/18/2000)

Table of Contents:
* 0. Introduction
* 1. General information about Kerberos
o 1.1. What is Kerberos?
o 1.2. Where does the name "Kerberos" come from?
o 1.3. Hey! I remember my Greek mythology, and I thought the dog that guarded the entrance was called Cerberus! What gives?
o 1.4. Where can I find out more information about Kerberos?
o 1.5. What is the latest version of Kerberos available from MIT?
o 1.6. Are there any other free versions of Kerberos available?
o 1.7. What are the differences between Kerberos Version 4 and Version 5?
o 1.8. What are the differences between AFS Kerberos and "normal" Kerberos?
o 1.9. What is the format of principals?
o 1.10. How are realms named? Do they really have to be uppercase?
o 1.11. What is ASN.1?
o 1.12. I see the acronyms TGT and TGS used a lot. What do they mean?
o 1.13. What is the export status of Kerberos?
o 1.14. What is a "Kerberos client", "Kerberos server", and "application server"?
o 1.15. I use software package <foo>, and it claims it supports Kerberos. What does that mean?
o 1.16. What is cross-realm authentication?
o 1.17. Are there security risks involved in cross-realm authentication?
o 1.18. Are there any known weaknesses in Kerberos?
o 1.19. What is preauthentication?
o 1.20. Why do I need to synchronize my system clocks to run Kerberos?
o 1.21. What computer vendors support Kerberos?
o 1.22. Can I use Kerberos 4 clients with Kerberos 5? How about the reverse?
o 1.23. What is a "key salt"? "kvno"?
o 1.24. Does Kerberos support multi-homed machines?
o 1.25. What is "user to user" authentication?
o 1.26. What are forwardable tickets?
o 1.27. What are renewable tickets?
o 1.28. What are postdatable tickets?
o 1.29. What are the advantages/disadvantages of Kerberos vs. SSL?
o 1.30. What are proxiable tickets?
* 2. Administration questions
o 2.1. Okay, I'm the administrator of a site, and I'd like to run Kerberos. What do I need to do?
o 2.2. What sort of resources do I need to dedicate to a KDC?
o 2.3. What programs/files need to go on each application server?
o 2.4. What programs/files need to go on each client?
o 2.5. There's a lot of stuff in the krb5.conf and kdc.conf files. What does it all mean, and what do I really need?
o 2.6. How do I change the master key?
o 2.7. How do I set up slave servers?
o 2.8. What do I need to do to make V4 clients work with my V5 KDC?
o 2.9. I just added a host key to a machine with ktadd, and the kvno got incremented! What just happened?
o 2.10. How do I run kadmin from a shell script unattended?
o 2.11. I can't use kadmin to talk to the admin server of another realm. What am I doing wrong?
o 2.12. We run AFS at our site currently. Is there a way we can run Kerberos along with AFS?
o 2.13. Employee <X> just left the company, and he had root on our KDC. What should I do?
o 2.14. How should I configure my DNS for Kerberos?
o 2.15. What do I need to do to setup cross-realm authentication?
o 2.16. Can I configure the admin server to reject bad passwords?
o 2.17. Is there a hook I can use to do further password checking?
o 2.18. How come the "Last xxx" fields in the Kerberos database don't seem to get updated?
o 2.19. What does krb524d do? Do I need to run it?
o 2.20. What is v5passwdd? Do I need to run it?
o 2.21. How do I rename a principal?
o 2.22. What is the difference between the "-a valid" and the "-a user" flags for telnetd?
o 2.23. I already have a standard Unix password database for my user population. Can I convert this to a Kerberos password database?
o 2.24. Can I have multiple realms on a single KDC?
o 2.25. What is the kadm5.acl file?
* 3. User and application questions
o 3.1. What happens when my tickets expire?
o 3.2. How do I run a cron job with Kerberos authentication?
o 3.3. How do I use renewable tickets?
o 3.4. What is the .k5login file, and how do I use it?
o 3.5. I've heard Microsoft will support Kerberos in Windows 2000. Is that true?
o 3.6. How can I be authenticated as two different principals at the same time?
o 3.7. How come Kerberos rlogin works to a machine, but when I use Kerberos telnet I'm still asked for a password?
o 3.8. How do I use Kerberos telnet/rlogin to connect to a system as a userid other than my current one?
o 3.9. Is there any way to do Kerberos authentication across the WWW?
o 3.10. Is there a way to use Kerberos to authenticate my X windows connections? I tried compiling the Kerberos support in X, but it didn't work.
o 3.11. I need to use Kerberos through a firewall. What does my firewall administrator need to do?
* 4. Error messages and other problems.
o 4.1. "No such file or directory"
o 4.2. "Decrypt integrity check failed"
o 4.3. "Cannot find/read stored master key"
o 4.4. "Incorrect net address"
o 4.5. "Initial Ticket response appears to be Version 4 error"
o 4.6. "Message stream modified"
o 4.7. "Illegal cross-realm ticket"
o 4.8. "Couldn't authenticate to server: Bad sendauth version was sent"
o 4.9. When I try using Kerberos ftp, it doesn't work, but it says, "No error".
o 4.10. When I telnet from a Linux machine to a Solaris machine with Kerberos and hit Ctrl-C, the connection hangs.
* 5. Programming with Kerberos.
o 5.1. How do I start programming with Kerberos?
o 5.2. What is GSSAPI?
o 5.3. What is SASL?
o 5.4. Is there a reference for the Kerberos API?
